LinuxQuestions.org
Old 04-27-2013, 12:41 AM   #1
Treikayan
Member
 
Registered: Oct 2008
Location: Albany Park, Chicago IL
Distribution: RHEL 5.1 i386
Posts: 75

Rep: Reputation: 15
Samba not working with Samba Server joined to ADS


Hello,

I cannot browse or open any samba shares from a windows client machine.

I have integrated the Samba Server into ADS and have tried setting up smb.conf to allow a windows domain user to access samba shares. It fails. Below are the steps I took to set up the Samba Server as a Domain Member Server.

I would like to still use PAM authentication (even that fails). I also have VSFTP installed and would like that integrated to authenticate against ADS. Please help!

messagebus, oddjob, winbind, openldap, smb are all running.

STEPS I TOOK:
Code:
Promote Linux Server to full functioning Samba Server and Domain Member Server
DUZIT (PX9130426-2038-EC01F) Linux Samba to Member Server.

yum install openldap

1. Run authconfig command on NOMAD
2. Modify /etc/samba/smb.conf, global settings
3. Update PAM config
	Ensure PAM accepts local accounts
4. Join NOMAD (Samba Server) to PROXIMA domain
	"net ads join" command
5. Update Kerberos 5 config
	Ensure Kerberos can look up uid/gid in PROXIMA.LOCAL realm
	Check KDC with host command
6. Check NSSSWITCH.CONF
7. Update IPTABLES

DETAILS:

AUTHCONFIG

authconfig \
--disablecache \
--enablewinbind \
--enablewinbindauth \
--smbsecurity=ads \
--smbworkgroup=PROXIMA \
--smbrealm=PROXIMA.LOCAL \
--enablewinbindusedefaultdomain \
--winbindtemplatehomedir=/home/PROXIMA/%U \
--winbindtemplateshell=/bin/false \
--enablekrb5 \
--krb5realm=PROXIMA.LOCAL \
--enablekrb5kdcdns \
--enablekrb5realmdns \
--enablelocauthorize \
--enablemkhomedir \
--enablepamaccess \
--updateall

SMB.CONF

.
.
.
.
Add these lines to [global]

	idmap config PROXIMA:backend = rid
    	idmap config PROXIMA:base_rid = 500
    	idmap config PROXIMA:range = 500-1000000

Comment out these lines in [global]

	#  idmap uid = 16777216-33554431
	#  idmap gid = 16777216-33554431

JOIN NOMAD TO THE DOMAIN
.
.
.
[root@nomad home]# net ads join -U sysadmin
sysadmin's password:
Using short domain name -- PROXIMA
DNS update failed! # DNS entry manually created beforehand!
Joined 'NOMAD' to realm 'PROXIMA.LOCAL'
[root@nomad home]# service smb restart

[root@nomad home]# /etc/rc.d/init.d/messagebus restart
Stopping system message bus:                               [  OK  ]
Starting system message bus:                               [  OK  ]
[root@nomad home]# chkconfig smb on
[root@nomad home]# chkconfig  winbind on
[root@nomad home]# chkconfig  oddjobd on



KRB5.CONF

.
.
.
[libdefaults]
 default_realm = PROXIMA.LOCAL
 dns_lookup_realm = true
 dns_lookup_kdc = true
 # ticket_lifetime = 24h
 ticket_lifetime = 600
 forwardable = yes
 default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
 default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc 

[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com:88
  admin_server = kerberos.example.com:749
  default_domain = example.com
 }

 PROXIMA.LOCAL = {
  kdc = filer.proxima.local
  kdc = COMPILER.proxima.local
  default_domain = PROXIMA
 }

[domain_realm]         
 proxima.local = PROXIMA.LOCAL
 .proxima.local = PROXIMA.LOCAL
.
.
.


[root@nomad ~]# host -t any _kerberos._tcp.proxima.local
_kerberos._tcp.proxima.local has SRV record 0 100 88 compiler.proxima.local.
_kerberos._tcp.proxima.local has SRV record 0 100 88 filer.proxima.local.

NSSSWITCH.CONF

.
.
.
passwd:     files winbind
shadow:     files winbind
group:      files winbind

passwd:     compat winbind  
shadow:     compat  
group:      compat winbind
.
.
.

TEST ADS COMMUNICATION

[root@nomad ~]# net ads info
LDAP server: 172.17.10.10
LDAP server name: filer.proxima.local
Realm: PROXIMA.LOCAL
Bind Path: dc=PROXIMA,dc=LOCAL
LDAP port: 389
Server time: Fri, 26 Apr 2013 23:15:43 CDT
KDC server: 172.17.10.10
Server time offset: -12

TEST A USER ACCOUNT

[root@nomad ~]# kinit dummy@PROXIMA.LOCAL
Password for dummy@PROXIMA.LOCAL:
[root@nomad ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: dummy@PROXIMA.LOCAL

Valid starting     Expires            Service principal
04/26/13 23:17:27  04/26/13 23:27:27  krbtgt/PROXIMA.LOCAL@PROXIMA.LOCAL


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

A SAMBA SHARE EXAMPLE:

[root@nomad ~]# testparm -s
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[FTP]"
Processing section "[Shekinya]"
Processing section "[printers]"
Processing section "[shared]"
Loaded services file OK.
'winbind separator = +' might cause problems with group membership.
Server role: ROLE_DOMAIN_MEMBER
[global]
workgroup = PROXIMA
realm = PROXIMA.LOCAL
server string = Samba Server
security = ADS
obey pam restrictions = Yes
passdb backend = tdbsam
guest account = samba
template homedir = /home/PROXIMA/%U
template shell = /sbin/nologin
winbind separator = +
winbind cache time = 10
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
idmap config PROXIMA:range = 16777216-33554431
idmap config PROXIMA:base_rid = 500
idmap config PROXIMA:backend = rid
cups options = raw

[homes]
comment = Home Directories
valid users = MYDOMAIN\%S
read only = No

[FTP]
comment = FTP Directories
path = /home
valid users = @PROXIMA+echatham, @echatham, @sysadmin, @root
create mask = 0700
directory mask = 0700
inherit permissions = Yes
inherit acls = Yes
guest ok = Yes

[Shekinya]
comment = Shekinya Website
path = /var/www/html/shekinya
valid users = @echatham, @sysadmin, @root
read only = No
guest ok = Yes

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No

[shared]
comment = HPPAV main share
path = /mnt/shares/samba_t
read only = No
inherit permissions = Yes
guest ok = Yes

Last edited by Treikayan; 04-27-2013 at 12:44 AM.
 
Old 04-27-2013, 01:45 AM   #2
Treikayan
Member
 
Registered: Oct 2008
Location: Albany Park, Chicago IL
Distribution: RHEL 5.1 i386
Posts: 75

Original Poster
Rep: Reputation: 15
Ok, one thing I did change was the delimiters for the shares: "@", "\" and "+". I can't tell if "\" or "+" is the correct delimiter in the config, but "@" is for searching a group. I think the "\" works though.

Code:
[homes]
        comment = Home Directories
        valid users = PROXIMA\%S
        read only = No

[FTP]
        comment = FTP Directories
        path = /home
        valid users = PROXIMA+echatham, PROXIMA\echatham, @echatham, @sysadmin, @root
        create mask = 0700
        directory mask = 0700
        inherit permissions = Yes
        inherit acls = Yes
        guest ok = Yes

[Shekinya]
        comment = Shekinya Website
        path = /var/www/html/shekinya
        valid users = PROXIMA\sysadmin, @echatham, @sysadmin, @root
        read only = No
        guest ok = Yes
I commented out this line too in smb.conf

Code:
#   winbind separator = +
I still would like to integrate VSFTP to use ADS authentication though. Also, is there a way to map the "Domain Admins" group to the "root" group?

Thank you.
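The testparm output in post #1 and the delimiter question in post #2 can be checked mechanically rather than by eye. The script below is an added example, not from the thread: it parses `testparm -s` output (a trimmed copy of the poster's is embedded as constructed sample input), compares the effective `idmap config PROXIMA:range` against the one the poster meant to add (Samba keeps the last occurrence of a repeated parameter, which is why the 16777216-33554431 range still shows), flags `@`/`+`/`&`-prefixed `valid users` entries as group lookups rather than users, reports the unedited `MYDOMAIN\` template placeholder, and notes `guest ok = Yes` on shares that also restrict `valid users`.

```python
import re

# Constructed sample input: a trimmed copy of the testparm -s output from post #1.
SAMPLE = """\
[global]
security = ADS
winbind separator = +
idmap config PROXIMA:range = 16777216-33554431

[homes]
valid users = MYDOMAIN\\%S

[FTP]
valid users = @PROXIMA+echatham, @echatham, @sysadmin, @root
guest ok = Yes

[shared]
guest ok = Yes
"""

def parse_testparm(text):
    """Map {section: {param: value}} from testparm -s output; param names lowercased."""
    conf, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1)
            conf[section] = {}
        elif section and "=" in line:
            key, _, value = line.partition("=")
            conf[section][key.strip().lower()] = value.strip()
    return conf

def audit(conf, workgroup, expected_range):
    """Return findings; expected_range is the idmap range the admin meant to set."""
    findings = []
    actual = conf.get("global", {}).get(f"idmap config {workgroup.lower()}:range")
    if actual != expected_range:  # Samba keeps the LAST occurrence of a repeated parameter
        findings.append(f"global: idmap range is {actual}, expected {expected_range}; look for a duplicate line")
    for name, sec in conf.items():
        users = [u.strip() for u in sec.get("valid users", "").split(",") if u.strip()]
        for u in users:
            if u.startswith("MYDOMAIN\\"):
                findings.append(f"{name}: '{u}' is an unedited template placeholder")
            if u[0] in "@+&":  # prefix means a group/netgroup lookup, not the user of that name
                findings.append(f"{name}: '{u}' names a group, not user '{u[1:]}'")
        if users and sec.get("guest ok", "").lower() == "yes":
            findings.append(f"{name}: guest ok = Yes on a share restricted by valid users")
    return findings
```

Run `audit(parse_testparm(open("testparm.out").read()), "PROXIMA", "500-1000000")` against a real `testparm -s > testparm.out` capture to get the same findings for the live config.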
 
Old 04-27-2013, 02:11 AM   #3
Treikayan
Member
 
Registered: Oct 2008
Location: Albany Park, Chicago IL
Distribution: RHEL 5.1 i386
Posts: 75

Original Poster
Rep: Reputation: 15
Nope, still having problems. I log onto the windows client as "echatham." I commented out the UNIX user echatham in /etc/passwd.

Now, I cannot browse to the Samba Server at all if I try logging on with the DOMAIN account to get to the Samba Server.

For some reason, the admin account (I used to join to ADS) shows up when I browse to the Samba Server. I can tell this because the home directory that displays is the ADMIN account. So, trying this in Windows

Quote:
C:\>runas /user:PROXIMA\echatham "explorer.exe /seperate"
Enter the password for PROXIMA\echatham:
Attempting to start explorer.exe /seperate as user "PROXIMA\echatham" ...
Then attempting to browse to the server in the new Windows Explorer pane fails. It keeps asking me to logon. When I put the domain account in, it fails.

Last edited by Treikayan; 04-27-2013 at 02:14 AM.